Only the leader can do the INIT to have root. And followers only sync from the leader in the bootstrap process.
After the root, every SCM will add their own certs upon the root. The root cert and sub certs are signed by the leader so that they can trust each other. For now, SCM only creates self-signed certs.
We need to change init mode to rely on the root certs from the leader. Init workflow will need to wait for the other SCMs to hold and we make sure only 1 SCM is generating the root cert.